fix(ui): Move routes to /app to avoid conflict with API endpoints

Also test for regressions in HTTP GET API key exempted endpoints because
this list can get out of sync with the UI routes.

Signed-off-by: Richard Palethorpe <io@richiejp.com>

Author: richiejp

core/cli/run.go

@@ -68,7 +68,7 @@ type RunCMD struct {
 	UseSubtleKeyComparison             bool     `env:"LOCALAI_SUBTLE_KEY_COMPARISON" default:"false" help:"If true, API Key validation comparisons will be performed using constant-time comparisons rather than simple equality. This trades off performance on each request for resiliancy against timing attacks." group:"hardening"`
 	DisableApiKeyRequirementForHttpGet bool     `env:"LOCALAI_DISABLE_API_KEY_REQUIREMENT_FOR_HTTP_GET" default:"false" help:"If true, a valid API key is not required to issue GET requests to portions of the web ui. This should only be enabled in secure testing environments" group:"hardening"`
 	DisableMetricsEndpoint             bool     `env:"LOCALAI_DISABLE_METRICS_ENDPOINT,DISABLE_METRICS_ENDPOINT" default:"false" help:"Disable the /metrics endpoint" group:"api"`
-	HttpGetExemptedEndpoints           []string `env:"LOCALAI_HTTP_GET_EXEMPTED_ENDPOINTS" default:"^/$,^/browse/?$,^/talk/?$,^/p2p/?$,^/chat/?$,^/image/?$,^/text2image/?$,^/tts/?$,^/static/.*$,^/swagger.*$" help:"If LOCALAI_DISABLE_API_KEY_REQUIREMENT_FOR_HTTP_GET is overriden to true, this is the list of endpoints to exempt. Only adjust this in case of a security incident or as a result of a personal security posture review" group:"hardening"`
+	HttpGetExemptedEndpoints           []string `env:"LOCALAI_HTTP_GET_EXEMPTED_ENDPOINTS" default:"^/$,^/app(/.*)?$,^/browse(/.*)?$,^/login/?$,^/explorer/?$,^/assets/.*$,^/static/.*$,^/swagger.*$" help:"If LOCALAI_DISABLE_API_KEY_REQUIREMENT_FOR_HTTP_GET is overriden to true, this is the list of endpoints to exempt. Only adjust this in case of a security incident or as a result of a personal security posture review" group:"hardening"`
 	Peer2Peer                          bool     `env:"LOCALAI_P2P,P2P" name:"p2p" default:"false" help:"Enable P2P mode" group:"p2p"`
 	Peer2PeerDHTInterval               int      `env:"LOCALAI_P2P_DHT_INTERVAL,P2P_DHT_INTERVAL" default:"360" name:"p2p-dht-interval" help:"Interval for DHT refresh (used during token generation)" group:"p2p"`
 	Peer2PeerOTPInterval               int      `env:"LOCALAI_P2P_OTP_INTERVAL,P2P_OTP_INTERVAL" default:"9000" name:"p2p-otp-interval" help:"Interval for OTP refresh (used during token generation)" group:"p2p"`

core/http/app.go

@@ -270,8 +270,31 @@ func API(application *application.Application) (*echo.Echo, error) {
 			// Enable SPA fallback in the 404 handler for client-side routing
 			spaFallback = serveIndex
 
-			// Serve React SPA at /
-			e.GET("/", serveIndex)
+			// Serve React SPA at /app
+			e.GET("/app", serveIndex)
+			e.GET("/app/*", serveIndex)
+
+			// prefixRedirect performs a redirect that preserves X-Forwarded-Prefix for reverse-proxy support.
+			prefixRedirect := func(c echo.Context, target string) error {
+				if prefix := c.Request().Header.Get("X-Forwarded-Prefix"); prefix != "" {
+					target = strings.TrimSuffix(prefix, "/") + target
+				}
+				return c.Redirect(http.StatusMovedPermanently, target)
+			}
+
+			// Redirect / to /app
+			e.GET("/", func(c echo.Context) error {
+				return prefixRedirect(c, "/app")
+			})
+
+			// Backward compatibility: redirect /browse/* to /app/*
+			e.GET("/browse", func(c echo.Context) error {
+				return prefixRedirect(c, "/app")
+			})
+			e.GET("/browse/*", func(c echo.Context) error {
+				p := c.Param("*")
+				return prefixRedirect(c, "/app/"+p)
+			})
 
 			// Serve React static assets (JS, CSS, etc.)
 			serveReactAsset := func(c echo.Context) error {
@@ -291,15 +314,6 @@ func API(application *application.Application) (*echo.Echo, error) {
 				return echo.NewHTTPError(http.StatusNotFound)
 			}
 			e.GET("/assets/*", serveReactAsset)
-
-			// Backward compatibility: redirect /app/* to /*
-			e.GET("/app", func(c echo.Context) error {
-				return c.Redirect(http.StatusMovedPermanently, "/")
-			})
-			e.GET("/app/*", func(c echo.Context) error {
-				p := c.Param("*")
-				return c.Redirect(http.StatusMovedPermanently, "/"+p)
-			})
 		}
 	}
 	routes.RegisterJINARoutes(e, requestExtractor, application.ModelConfigLoader(), application.ModelLoader(), application.ApplicationConfig())

core/http/middleware/auth_test.go

@@ -0,0 +1,228 @@
+package middleware_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+
+	"github.com/labstack/echo/v4"
+	"github.com/mudler/LocalAI/core/config"
+	. "github.com/mudler/LocalAI/core/http/middleware"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+// ok is a simple handler that returns 200 OK.
+func ok(c echo.Context) error {
+	return c.String(http.StatusOK, "ok")
+}
+
+// newAuthApp creates a minimal Echo app with auth middleware applied.
+// Requests that fail auth with Content-Type: application/json get a JSON 401
+// (no template renderer needed).
+func newAuthApp(appConfig *config.ApplicationConfig) *echo.Echo {
+	e := echo.New()
+
+	mw, err := GetKeyAuthConfig(appConfig)
+	Expect(err).ToNot(HaveOccurred())
+	e.Use(mw)
+
+	// Sensitive API routes
+	e.GET("/v1/models", ok)
+	e.POST("/v1/chat/completions", ok)
+
+	// UI routes
+	e.GET("/app", ok)
+	e.GET("/app/*", ok)
+	e.GET("/browse", ok)
+	e.GET("/browse/*", ok)
+	e.GET("/login", ok)
+	e.GET("/explorer", ok)
+	e.GET("/assets/*", ok)
+	e.POST("/app", ok)
+
+	return e
+}
+
+// doRequest performs an HTTP request against the given Echo app and returns the recorder.
+func doRequest(e *echo.Echo, method, path string, opts ...func(*http.Request)) *httptest.ResponseRecorder {
+	req := httptest.NewRequest(method, path, nil)
+	req.Header.Set("Content-Type", "application/json")
+	for _, opt := range opts {
+		opt(req)
+	}
+	rec := httptest.NewRecorder()
+	e.ServeHTTP(rec, req)
+	return rec
+}
+
+func withBearerToken(token string) func(*http.Request) {
+	return func(req *http.Request) {
+		req.Header.Set("Authorization", "Bearer "+token)
+	}
+}
+
+func withXApiKey(key string) func(*http.Request) {
+	return func(req *http.Request) {
+		req.Header.Set("x-api-key", key)
+	}
+}
+
+func withXiApiKey(key string) func(*http.Request) {
+	return func(req *http.Request) {
+		req.Header.Set("xi-api-key", key)
+	}
+}
+
+func withTokenCookie(token string) func(*http.Request) {
+	return func(req *http.Request) {
+		req.AddCookie(&http.Cookie{Name: "token", Value: token})
+	}
+}
+
+var _ = Describe("Auth Middleware", func() {
+
+	Context("when API keys are configured", func() {
+		var app *echo.Echo
+		const validKey = "sk-test-key-123"
+
+		BeforeEach(func() {
+			appConfig := config.NewApplicationConfig()
+			appConfig.ApiKeys = []string{validKey}
+			app = newAuthApp(appConfig)
+		})
+
+		It("returns 401 for GET request without a key", func() {
+			rec := doRequest(app, http.MethodGet, "/v1/models")
+			Expect(rec.Code).To(Equal(http.StatusUnauthorized))
+		})
+
+		It("returns 401 for POST request without a key", func() {
+			rec := doRequest(app, http.MethodPost, "/v1/chat/completions")
+			Expect(rec.Code).To(Equal(http.StatusUnauthorized))
+		})
+
+		It("returns 401 for request with an invalid key", func() {
+			rec := doRequest(app, http.MethodGet, "/v1/models", withBearerToken("wrong-key"))
+			Expect(rec.Code).To(Equal(http.StatusUnauthorized))
+		})
+
+		It("passes through with valid Bearer token in Authorization header", func() {
+			rec := doRequest(app, http.MethodGet, "/v1/models", withBearerToken(validKey))
+			Expect(rec.Code).To(Equal(http.StatusOK))
+		})
+
+		It("passes through with valid x-api-key header", func() {
+			rec := doRequest(app, http.MethodGet, "/v1/models", withXApiKey(validKey))
+			Expect(rec.Code).To(Equal(http.StatusOK))
+		})
+
+		It("passes through with valid xi-api-key header", func() {
+			rec := doRequest(app, http.MethodGet, "/v1/models", withXiApiKey(validKey))
+			Expect(rec.Code).To(Equal(http.StatusOK))
+		})
+
+		It("passes through with valid token cookie", func() {
+			rec := doRequest(app, http.MethodGet, "/v1/models", withTokenCookie(validKey))
+			Expect(rec.Code).To(Equal(http.StatusOK))
+		})
+	})
+
+	Context("when no API keys are configured", func() {
+		var app *echo.Echo
+
+		BeforeEach(func() {
+			appConfig := config.NewApplicationConfig()
+			app = newAuthApp(appConfig)
+		})
+
+		It("passes through without any key", func() {
+			rec := doRequest(app, http.MethodGet, "/v1/models")
+			Expect(rec.Code).To(Equal(http.StatusOK))
+		})
+	})
+
+	Context("GET exempted endpoints (feature enabled)", func() {
+		var app *echo.Echo
+		const validKey = "sk-test-key-456"
+
+		BeforeEach(func() {
+			appConfig := config.NewApplicationConfig(
+				config.WithApiKeys([]string{validKey}),
+				config.WithDisableApiKeyRequirementForHttpGet(true),
+				config.WithHttpGetExemptedEndpoints([]string{
+					"^/$",
+					"^/app(/.*)?$",
+					"^/browse(/.*)?$",
+					"^/login/?$",
+					"^/explorer/?$",
+					"^/assets/.*$",
+					"^/static/.*$",
+					"^/swagger.*$",
+				}),
+			)
+			app = newAuthApp(appConfig)
+		})
+
+		It("allows GET to /app without a key", func() {
+			rec := doRequest(app, http.MethodGet, "/app")
+			Expect(rec.Code).To(Equal(http.StatusOK))
+		})
+
+		It("allows GET to /app/chat/model sub-route without a key", func() {
+			rec := doRequest(app, http.MethodGet, "/app/chat/llama3")
+			Expect(rec.Code).To(Equal(http.StatusOK))
+		})
+
+		It("allows GET to /browse/models without a key", func() {
+			rec := doRequest(app, http.MethodGet, "/browse/models")
+			Expect(rec.Code).To(Equal(http.StatusOK))
+		})
+
+		It("allows GET to /login without a key", func() {
+			rec := doRequest(app, http.MethodGet, "/login")
+			Expect(rec.Code).To(Equal(http.StatusOK))
+		})
+
+		It("allows GET to /explorer without a key", func() {
+			rec := doRequest(app, http.MethodGet, "/explorer")
+			Expect(rec.Code).To(Equal(http.StatusOK))
+		})
+
+		It("allows GET to /assets/main.js without a key", func() {
+			rec := doRequest(app, http.MethodGet, "/assets/main.js")
+			Expect(rec.Code).To(Equal(http.StatusOK))
+		})
+
+		It("rejects POST to /app without a key", func() {
+			rec := doRequest(app, http.MethodPost, "/app")
+			Expect(rec.Code).To(Equal(http.StatusUnauthorized))
+		})
+
+		It("rejects GET to /v1/models without a key", func() {
+			rec := doRequest(app, http.MethodGet, "/v1/models")
+			Expect(rec.Code).To(Equal(http.StatusUnauthorized))
+		})
+	})
+
+	Context("GET exempted endpoints (feature disabled)", func() {
+		var app *echo.Echo
+		const validKey = "sk-test-key-789"
+
+		BeforeEach(func() {
+			appConfig := config.NewApplicationConfig(
+				config.WithApiKeys([]string{validKey}),
+				// DisableApiKeyRequirementForHttpGet defaults to false
+				config.WithHttpGetExemptedEndpoints([]string{
+					"^/$",
+					"^/app(/.*)?$",
+				}),
+			)
+			app = newAuthApp(appConfig)
+		})
+
+		It("requires auth for GET to /app even though it matches exempted pattern", func() {
+			rec := doRequest(app, http.MethodGet, "/app")
+			Expect(rec.Code).To(Equal(http.StatusUnauthorized))
+		})
+	})
+})

core/http/react-ui/src/App.jsx

@@ -15,7 +15,7 @@ export default function App() {
   const { toasts, addToast, removeToast } = useToast()
   const [version, setVersion] = useState('')
   const location = useLocation()
-  const isChatRoute = location.pathname.startsWith('/chat') || location.pathname.match(/^\/agents\/[^/]+\/chat/)
+  const isChatRoute = location.pathname.match(/\/chat(\/|$)/) || location.pathname.match(/\/agents\/[^/]+\/chat/)
 
   useEffect(() => {
     systemApi.version()

core/http/react-ui/src/components/Sidebar.jsx

@@ -5,36 +5,36 @@ import ThemeToggle from './ThemeToggle'
 const COLLAPSED_KEY = 'localai_sidebar_collapsed'
 
 const mainItems = [
-  { path: '/', icon: 'fas fa-home', label: 'Home' },
-  { path: '/browse', icon: 'fas fa-download', label: 'Install Models' },
-  { path: '/chat', icon: 'fas fa-comments', label: 'Chat' },
-  { path: '/image', icon: 'fas fa-image', label: 'Images' },
-  { path: '/video', icon: 'fas fa-video', label: 'Video' },
-  { path: '/tts', icon: 'fas fa-music', label: 'TTS' },
-  { path: '/sound', icon: 'fas fa-volume-high', label: 'Sound' },
-  { path: '/talk', icon: 'fas fa-phone', label: 'Talk' },
+  { path: '/app', icon: 'fas fa-home', label: 'Home' },
+  { path: '/app/models', icon: 'fas fa-download', label: 'Install Models' },
+  { path: '/app/chat', icon: 'fas fa-comments', label: 'Chat' },
+  { path: '/app/image', icon: 'fas fa-image', label: 'Images' },
+  { path: '/app/video', icon: 'fas fa-video', label: 'Video' },
+  { path: '/app/tts', icon: 'fas fa-music', label: 'TTS' },
+  { path: '/app/sound', icon: 'fas fa-volume-high', label: 'Sound' },
+  { path: '/app/talk', icon: 'fas fa-phone', label: 'Talk' },
 ]
 
 const agentItems = [
-  { path: '/agents', icon: 'fas fa-robot', label: 'Agents' },
-  { path: '/skills', icon: 'fas fa-wand-magic-sparkles', label: 'Skills' },
-  { path: '/collections', icon: 'fas fa-database', label: 'Memory' },
-  { path: '/agent-jobs', icon: 'fas fa-tasks', label: 'MCP CI Jobs', feature: 'mcp' },
+  { path: '/app/agents', icon: 'fas fa-robot', label: 'Agents' },
+  { path: '/app/skills', icon: 'fas fa-wand-magic-sparkles', label: 'Skills' },
+  { path: '/app/collections', icon: 'fas fa-database', label: 'Memory' },
+  { path: '/app/agent-jobs', icon: 'fas fa-tasks', label: 'MCP CI Jobs', feature: 'mcp' },
 ]
 
 const systemItems = [
-  { path: '/backends', icon: 'fas fa-server', label: 'Backends' },
-  { path: '/traces', icon: 'fas fa-chart-line', label: 'Traces' },
-  { path: '/p2p', icon: 'fas fa-circle-nodes', label: 'Swarm' },
-  { path: '/manage', icon: 'fas fa-desktop', label: 'System' },
-  { path: '/settings', icon: 'fas fa-cog', label: 'Settings' },
+  { path: '/app/backends', icon: 'fas fa-server', label: 'Backends' },
+  { path: '/app/traces', icon: 'fas fa-chart-line', label: 'Traces' },
+  { path: '/app/p2p', icon: 'fas fa-circle-nodes', label: 'Swarm' },
+  { path: '/app/manage', icon: 'fas fa-desktop', label: 'System' },
+  { path: '/app/settings', icon: 'fas fa-cog', label: 'Settings' },
 ]
 
 function NavItem({ item, onClose, collapsed }) {
   return (
     <NavLink
       to={item.path}
-      end={item.path === '/'}
+      end={item.path === '/app'}
       className={({ isActive }) =>
         `nav-item ${isActive ? 'active' : ''}`
       }

core/http/react-ui/src/hooks/useOperations.js

@@ -8,6 +8,7 @@ export function useOperations(pollInterval = 1000) {
   const intervalRef = useRef(null)
 
   const previousCountRef = useRef(0)
+  const onAllCompleteRef = useRef(null)
 
   const fetchOperations = useCallback(async () => {
     try {
@@ -19,10 +20,9 @@ export function useOperations(pollInterval = 1000) {
       const activeOps = ops.filter(op => !op.error)
       const failedOps = ops.filter(op => op.error)
 
-      // Auto-refresh the page when all active operations complete (mirrors original behavior)
-      // but not when there are still failed operations being shown
+      // Notify when all operations complete (no active or failed remaining)
       if (previousCountRef.current > 0 && activeOps.length === 0 && failedOps.length === 0) {
-        setTimeout(() => window.location.reload(), 1000)
+        onAllCompleteRef.current?.()
       }
       previousCountRef.current = activeOps.length
 
@@ -64,5 +64,10 @@ export function useOperations(pollInterval = 1000) {
     }
   }, [fetchOperations, pollInterval])
 
-  return { operations, loading, error, cancelOperation, dismissFailedOp, refetch: fetchOperations }
+  // Allow callers to register a callback for when all operations finish
+  const onAllComplete = useCallback((cb) => {
+    onAllCompleteRef.current = cb
+  }, [])
+
+  return { operations, loading, error, cancelOperation, dismissFailedOp, refetch: fetchOperations, onAllComplete }
 }

core/http/react-ui/src/pages/AgentChat.jsx

@@ -456,7 +456,7 @@ export default function AgentChat() {
               <i className="fas fa-layer-group" /> {artifacts.length}
             </button>
           )}
-          <button className="btn btn-secondary btn-sm" onClick={() => navigate(`/agents/${encodeURIComponent(name)}/status`)} title="View status & observables">
+          <button className="btn btn-secondary btn-sm" onClick={() => navigate(`/app/agents/${encodeURIComponent(name)}/status`)} title="View status & observables">
             <i className="fas fa-chart-bar" /> Status
           </button>
           <button className="btn btn-secondary btn-sm" onClick={() => clearMessages()} disabled={messages.length === 0} title="Clear chat history">